HR Should Have a Role In VoIP Implementations

Companies are turning to Voice over Internet Protocol, commonly known as VoIP, as a way to save money on telephone service and improve communications. By the end of 2009, more than 5 million businesses will use VoIP to the tune of $6 billion, according to consulting firm Pike & Fischer’s Broadband Advisory Services. Those numbers may spike if the current economic crisis continues and businesses start moving more aggressively to VoIP, says Scott Sleek, Broadband Advisory Services director.

"The country’s financial problems may accelerate adoption because VoIP allows for efficiencies and savings for many companies," he says. For example, companies that use VoIP can implement a universal in-box, sending and accessing voice mails and e-mails in the same place. But there is a caveat to those benefits. Companies that let IT do all the work without input from human resources may end up with problems that overshadow any cost savings.

Protecting the company

VoIP, like other technologies, has security and functionality limitations. The biggest issue stems from the way voice traffic passes from caller to recipient via an Internet connection. Traditional telephone services use dedicated wiring, which means it’s very difficult for someone to intercept or listen in on a conversation. But that’s not always the case with VoIP, says Dan York, best practice chair with industry group Voice over IP Security Alliance. Eavesdropping is easier to do with VoIP than in the public switched telephone network, he says. "The challenge with VoIP is that someone can definitely attack a system across the Internet."

VoIP networks can also be hacked, says Stephanie A. Joyce, of counsel at Washington-based law firm Womble Carlyle Sandridge & Rice. "Hackers are not only hacking into enterprise VoIP systems to eavesdrop; they’re hacking in to get a free ride on their networks and steal minutes," she says. Hackers could also launch denial-of-service attacks, hitting a VoIP network with large amounts of data to impede the flow of voice data traffic and bring a company’s telephone service to a halt.

Hacking aside, the digital voice traffic presents practical issues. Call quality can suffer if companies don’t plan network allocation correctly. Voice traffic is data-heavy, and if every packet isn’t delivered quickly and concurrently, calls sound choppy or drop out altogether.

There are also VoIP-related compliance issues, says Peter Hall, principal analyst for the enterprise telecom practice of the research firm Ovum. Certain industries record and store transactional calls as part of compliance efforts; other companies record calls voluntarily to ensure good customer service and create cross-selling and upselling opportunities. But unless the VoIP software or service is set up ahead of time to do this, neither of these things can necessarily happen anymore, he says. "If you’re at a financial services or health care company, and someone is making calls from a VoIP system, they are completely bypassing the system in place to record calls," he says. The threats are even greater for employees who work from home on their own VoIP service, or who use IP telephony on the road.

Doing due diligence

The good news is that all of these potential problems can be mitigated, and while it’s up to the IT department to handle the nuts and bolts of the issue, the process needs to start with HR, says attorney Andrew B. Serwin, author of Information Security and Privacy: A Practical Guide to Federal, State and International Law.

HR managers should work with IT even before the technology evaluation process to outline which VoIP features are absolutely necessary for company compliance and privacy requirements, says Serwin, who is also a partner with Foley & Lardner and chair of its privacy, security and information management practice. "You need to speak with IT and make sure that all lines will be secure and from a monitoring perspective, VoIP will be consistent with your company policies and the law," he says.

HR professionals should also ask about installation and support, says Denise Messineo, senior vice president of human resources for Dimension Data Americas, an IT consultancy that uses VoIP for its own telecom service. "Many times employees leave us detailed, very personal messages that we certainly wouldn’t want to be intercepted," she says. "We made sure that we had our own separate server [for voice mail], and that the service was installed with enough bandwidth so the quality of service wouldn’t be different than any other phone service."

Those companies that can’t afford a separate network can ask IT to prioritize network traffic so voice data always comes before other data such as e-mail or file serving.

Planning shouldn’t stop with HR and IT, though. "Anytime you change the way an employee works for you, legal should be consulted," says attorney Joyce of Womble Carlyle Sandridge & Rice. The problem, she says, is that there is a diminished expectation of privacy when using VoIP, and this is something that should be communicated to employees.

"They need to be aware that hacking may occur and eavesdropping can happen. You’ve got to explain to employees that, because of this, you should not use VoIP for extremely company-sensitive or proprietary communication unless the system has been tested and safeguarded completely." That means employees should know that if they are using a residential VoIP system while working at home or a true IP telephony phone like Skype, they should not talk about anything that could do damage if it got out.

This can be easily handled by creating and disseminating a companywide policy related to VoIP communications, says Serwin. "Training is going to be important."